Aadhaar details of all registered users are exposed online by the vulnerable system of a state-owned utility service provider, according to a new report. The report claims this issue was brought to the notice of the Indian government over a month ago, but no action has been taken yet to fix the issue. The data vulnerable to the leak includes personal information of users, Aadhaar number, as well as the names of banks in which they have accounts. Worryingly, it is not only consumers registered with the utility service that are reported to be at risk, but all Aadhaar users.
According to a ZDNet report, the endpoint vulnerability was discovered by Delhi-based security researcher Karan Saini. The report does not mention the name of the utility service provider, and only mentions it is a state-owned entity. It has reportedly not secured the API, which can expose the Aadhaar details of all citizens.
The report says, “The API's endpoint - a URL that we are not publishing - has no access controls in place. The affected endpoint uses a hardcoded access token, which, when decoded, translates to ‘INDAADHAARSECURESTATUS’, allowing anyone to query Aadhaar numbers against the database without any additional authentication.”
Saini, the report claims, also discovered the API does not employ any rate limiting, which makes it vulnerable to hackers attempting to steal Aadhaar information by going through any number of permutations — potentially trillions — in order to get a successful result.
For example, the report quotes Saini as saying, “it would be possible to enumerate Aadhaar numbers by cycling through combinations, such as 1234 5678 0000 to 1234 5678 9999. And because there is no rate limiting, Saini said he could send thousands of requests each minute — just from one computer.”
"An attacker is bound to find some valid Aadhaar numbers there, which could then be used to find their corresponding details," Saini says in the report. The data is reportedly being updated regularly “from as early as 2014 to mid 2017”, and “it seems that everyone's information is available, with no authentication”
As for the information revealed by the leak, Saini was reportedly able to access the names of the Aadhaar holders, their consumer number (assigned by the utility service provider, not UIDAI), and the banks they in which they have accounts. In fact, anyone who has your Aadhaar number can check the linked bank accounts via a simple text message.
The government was informed of this data leak by ZDNet over a month via email that elicited no response. The publication then reached out to the Indian Consulate in New York and Devi Prasad Misra, consul for trade and customs. Over a two-week period, emails explaining the situation and follow-up questions were exchanged, but the vulnerability was not fixed. The last email, which the publication claims to have sent at the start of the week, did not get a reply either.